The Latest in IT Security

Fake Craigslist emails / paranoiknepjet.ru

06 Jun 2012

Here are two examples of fake Craigslist emails leading to malware on paranoiknepjet.ru. If you have any other samples, then please consider sharing them in the Comments.

From: craigslist – automated message, do not reply
Sent: 06 June 2012 14:32
Subject: POST/EDIT/DELETE : “Film maker & Actor/Actress” (crew)

IMPORTANT – FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:
•    PUBLISH YOUR AD
•    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
•    VERIFY YOUR EMAIL ADDRESS
•    DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL – you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

========================

From: craigslist – automated message, do not reply
Sent: Tue 05/06/2012 21:43
Subject: POST/EDIT/DELETE : “Real professional tattoo work” (cycle)

IMPORTANT – FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:
•    PUBLISH YOUR AD
•    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
•    VERIFY YOUR EMAIL ADDRESS
•    DELETE YOUR AD
If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL – you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

The link in the email leads to a malicious payload at [donotclick]http://paranoiknepjet.ru:8080/forum/showthread.php?page=5fa58bce769e5c2c (report here) hosted on some IP addresses we have already seen.

50.57.43.49
50.57.88.200
184.106.200.65
187.85.160.106

I can identify the following domains on those IPs, all of which can be considered to be malicious:


Added: another one..

Date: Wed, 6 Jun 2012 02:48:02 +0000
From: “craigslist – automated message, do not reply” [[email protected]]
Subject: POST/EDIT/DELETE : “we have moving supplies “check us out”” (sublets / temporary)

IMPORTANT – FURTHER ACTION IS REQUIRED TO COMPLETE YOUR REQUEST !!!

FOLLOW THE WEB ADDRESS BELOW TO:

•    PUBLISH YOUR AD
•    EDIT (OR CONFIRM AN EDIT TO) YOUR AD
•    VERIFY YOUR EMAIL ADDRESS
•    DELETE YOUR AD

If not clickable, please copy and paste the address to your browser:

Click here

PLEASE KEEP THIS EMAIL – you may need it to manage your posting!

Your posting will expire off the site 7 days after it was created.

Thanks for using craigslist!  
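
A defender-side check for the pattern in the samples above, where the sender name claims craigslist but the "Click here" anchor goes to an unrelated host on port 8080 (added example, not from the original post). The sample message, the `.example` hosts and the brand-to-domain mapping are constructed assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

BRAND, BRAND_DOMAIN = "craigslist", "craigslist.org"  # assumed brand-to-domain mapping
# Constructed sample shaped like the messages above; the .example hosts are placeholders.
SAMPLE = """\
From: "craigslist - automated message, do not reply" <robot@mail.example>
Content-Type: text/html; charset="utf-8"

<p><a href="http://landing.example:8080/forum/showthread.php?page=0123456789abcdef">Click here</a></p>
<p>Thanks for using <a href="https://www.craigslist.org/about/">craigslist</a>!</p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(raw_message):
    """Return (href, text, reasons) for web links that contradict the brand in From."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if BRAND not in str(msg["From"]).lower() or body is None:
        return []
    collector = LinkCollector()
    collector.feed(body.get_content())
    findings = []
    for href, text in collector.links:
        url, reasons = urlsplit(href), []
        host = (url.hostname or "").lower()
        if url.scheme not in ("http", "https"):
            continue  # only web links are checked here
        if host != BRAND_DOMAIN and not host.endswith("." + BRAND_DOMAIN):
            reasons.append("host is not under " + BRAND_DOMAIN)
        if url.port not in (None, 80, 443):
            reasons.append("non-standard port %d" % url.port)
        if reasons:
            findings.append((href, text, reasons))
    return findings
```

Calling `suspicious_links(SAMPLE)` reports only the "Click here" anchor; the genuine craigslist.org link in the same message is not flagged.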
